Mobile application security issues and threat vectors in enterprises

According to a recent study, 70% of malware threats to the network come from mobile
applications. Couple this with an IDC statistic which expects mobile application downloads to cross
182.7 billion by 2015 as against 10.7 billion in 2010, and you get a very scary picture.

The need for close scrutiny around mobile application security in the enterprise is a must.
Today, 30% of applications obtain device location without explicit user consent. 14.7% of
applications request permissions to initiate phone calls without user knowledge. Another 6% request
access to all accounts on a device; 4.8% can send SMSs without user involvement or knowledge. This
is one side of the coin. Research reports inform that up to 50% users on the other hand may
not have any mobile app security software installed on their device.

Today’s mobile app threats scenario

As trends like bring your own device (BYOD) takes big strides in the Indian enterprises, it’s
essential to make users aware of issues around mobile applications. Some of these are:

Mobile pick-pocketing: Malware and apps indulge in petty financial fraud such as the
generation of premium SMSs and premium phone-calls without user intervention or approval.

Stealing of personal information: Theft of information like contacts, SMSs and media
files is widespread, especially on open platforms. A huge market exists

Continue Reading This Article

Enjoy this article as well as all of our content, including E-Guides, news, tips and more.

By submitting your personal information, you agree to receive emails regarding relevant products and special offers from TechTarget and its partners. You also agree that your personal information may be transferred and processed in the United States, and that you have read and agree to the Terms of Use and the Privacy Policy.

for such databases.

Spyware: Smartphones have features like cameras, microphones and GPS tracking. Several
apps allow these features to be activated remotely without the user’s knowledge.

Identity theft: This involves spoofing a phone’s parameters and details. With phones
being used as a factor for authentication, this can have serious repercussions. India has already
seen such
cases.

Mobile botnets / relays: Smartphones with powerful 2G/3G/4G connections can be used as
nodes and relays in a botnet. These can be used to generate spam or launch distributed denial of
service (DDoS) attacks.

Access to app data and app user data: Attention needs to be given to how applications
use and store data. Securing this information is essential to your privacy.

Mobile app attack vectors

Rogue developers are keeping pace with newer mobile
application security measures, churning out new and innovative malware and attack channels. The
following attack vectors are pertinent from a mobile application security perspective.

Jailbroken/rooted devices: Bypassing OS control gives unrestricted access to all aspects
and features on the device. This is a double-edged sword. Users should be aware that the process of
Jailbreaking, along with websites that offer this service provide easy conduits to plant malware on
phones with sensitive data.

App repackaging: This is a significant problem in the Android space. Rogue developers
repackage legitimate apps with malware. When unsuspecting consumers install and activate these
apps, the embedded malware can initiate activities to send out premium SMSes, uninstall antivirus
solutions and access sensitive content.
Users may still get the functionality of the original app and be unaware of the background
malicious activity. Use legitimate, platform-supported application stores, check publisher details
and review user feedback on the app’s current version before downloading.

Drive-by downloads: This is a recent development in the mobile space, where accessing
infected sites results in malicious apps being installed without user knowledge. Often, these sites
are safe for regular browsers, but automatic download and installation of an application can be
triggered while using smartphone browsers. Android provides controls to prevent automated
downloads.

Apps from untrusted sources: It doesn’t get worse than downloading and installing and
untrusted/unsigned repackaged app from non-regulated app marketplaces. It is incumbent upon
enterprises to discourage this practice. Approved application stores are the best source of
legitimate apps. Users take grave risks in installing apps whose provenance is unknown, via SD
cards, third-party application stores or even as email attachments. The threats posed by these
applications, ranging from minor inconvenience to major financial fraud.

Operating system/device vulnerabilities: OS/device firmware vulnerabilities are often
exploited by rogue developers while compromising devices. To avoid such threats, use updated
antivirus packages and ensure that devices are updated with all relevant OS and firmware
updates.

App vulnerabilities: Secure application development for mobile platforms is still
immature. Insecure coding can lead to apps acting as a conduit through which malware and attackers
gain control of your device. The best protection is to install a good security solution. Reputed
developers ensure that their apps undergo multiple levels of testing before release to minimize
chances of compromise. Review publicly-available ratings and feedback on apps before
installation.

To sum up

Given the broad range of attack options available to the malware-coder, the precautions
summarized above can go a long way to secure your mobile app experience. Users may be familiar with
these security mechanisms in the traditional computing environment, but they should extend the same
to their mobile devices. Finally, remember the cardinal rule in security; if it sounds too good to
be true, it most likely is!

This tip is based on a talk by Ram Venkatraman, the security practice head at Mahindra Satyam
as part of the DSCI best practices summit held in Bengaluru in July 2012.

Related glossary terms

Disclaimer:
Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.

SearchMidmarketSecurity.com’s tutorials offer IT professionals in-depth lessons and technical advice on the hottest topics in the midmarket IT security industry. Through our tutorials we seek to provide site members with the foundational knowledge needed to deal with the increasingly challenging job of keeping their organizations secure.